Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 98000c31bef9a5a2…

Verdict: MALICIOUS

File type: Office (OOXML)

Size: 775.5 KB
Created: 2011-09-04 17:54:33 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2021-09-27

MD5: 03fa2857594202e92abebcb17e69adf4
SHA-1: fe1f0d6e64f29c7e04f084da4e33a8595c7bc815
SHA-256: 98000c31bef9a5a2cb094d2b41c8755bfdb8ac253ad692bc38d1bde0f68f5180

Risk score: 366

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059 Command and Scripting Interpreter
  • T1204.002 Malicious File
  • T1105 Ingress Tool Transfer

The sample is an OOXML workbook containing a Workbook_Open VBA macro. The macro uses WScript.Shell to execute commands, likely to download and run a second-stage payload from one of the embedded URLs. Multiple high-severity heuristics for VBA macro execution and shell calls strongly indicate malicious intent.

Heuristics (12)

  • VBA project inside OOXML (medium, OOXML_VBA, 8 related findings)
    Document contains a VBA project — VBA macros present
  • Shell() call in VBA (critical, OLE_VBA_SHELL)
    Shell() call in VBA
  • WScript.Shell usage (critical, OLE_VBA_WSCRIPT)
    WScript.Shell usage
  • Workbook_Open macro (high, OLE_VBA_WBOPEN)
    Workbook_Open macro
  • Auto_Close macro (high, OLE_VBA_AUTOCLOSE)
    Auto_Close macro
  • CreateObject call (high, OLE_VBA_CREATEOBJ)
    CreateObject call
  • GetObject call (high, OLE_VBA_GETOBJ)
    GetObject call
  • VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Environ() call (env variable access) (low, OLE_VBA_ENVIRON)
    Environ() call (env variable access)
  • External hyperlinks (1) (low, OOXML_EXTERNAL_HYPERLINKS)
    Document contains 1 external hyperlink — clickable URLs are stored as external relationships. First target: ../../../ibip/bdc_recording.txt
  • Hidden worksheet (veryHidden, hidden) (low, OOXML_HIDDEN_SHEET)
    Excel workbook contains 8 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.rondebruin.nl/win/winmail/Outlook/tips.htm (Document hyperlink)
    • https://www.se80.co.uk/saptabfields/ (Document hyperlink)
    • https://www.se80.co.uk/saptabfields/ followed by one undecodable trailing byte (Document hyperlink)
    • http://schemas.microsoft.com/office/2006/01/customui (Document hyperlink)
    • http://schemas.microsoft.com/office/2009/07/customui (Document hyperlink)
    • https://gumroad.com/l/oNRSy (Document hyperlink)
    • https://vimeo.com/153600853 (Document hyperlink)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 305702 bytes
SHA-256: 7026c032f499b63117b0f6351548a477acb7728268146602a3b22d92be94fe74
Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit

Public strComputerName



Private Sub Workbook_Open()
Dim strFolderName, strFileFullName As String
Dim strFolderExists As String
Dim WshShell As Object
Dim lv_name$


    End                     '????????????????

    Set WshShell = CreateObject("WScript.Shell")

    lv_name = Left(application.ThisWorkbook.name, 8)
    If lv_name <> "ibiptool" Then
        application.ActiveWindow.Close SaveChanges:=False
        ActiveWorkbook.Close SaveChanges:=False
    End If


    'fill the system dropdownlist
    Call getlogonsys
    
    

End Sub


Attribute VB_Name = "Sheet4"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit


Attribute VB_Name = "Sheet8"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet12"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit

Private Const MODULE_NAME$ = "sheet_recorder"

Private Const SHEET_DICTIONARY$ = "Dictionary"

Private Sub Worksheet_BeforeDoubleClick(ByVal Target As Range, Cancel As Boolean)
   ' updateDataForTableFieldAuto Target
End Sub



Private Sub Worksheet_Activate()


'If Sheets("support").Visible = True Then
'  Sheets("support").Visible = False
'End If
'
'If Sheets("SYSTEMS").Visible = True Then
'  Sheets("SYSTEMS").Visible = False
'End If
'
'
'If Sheets("database_rec").Visible = True Then
'  Sheets("database_rec").Visible = False
'End If
'

If Sheets("Ribbon_EngHeb").Visible = True Then
  Sheets("Ribbon_EngHeb").Visible = False
End If


ActiveWorkbook.Worksheets("recorder").Range("1:3").EntireRow.Hidden = True


ActiveWorkbook.Worksheets("SYSTEMS").Visible = xlSheetVeryHidden
ActiveWorkbook.Worksheets("support").Visible = xlSheetVeryHidden
ActiveWorkbook.Worksheets("templates").Visible = xlSheetVeryHidden
ActiveWorkbook.Worksheets("bdc_rec").Visible = xlSheetVeryHidden
ActiveWorkbook.Worksheets("database_rec").Visible = xlSheetVeryHidden
ActiveWorkbook.Worksheets("dictionary").Visible = xlSheetVeryHidden

If Sheets("SYSTEMS").Visible = True Then
  Sheets("SYSTEMS").Visible = False
End If

End Sub




Attribute VB_Name = "Sheet7"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit

Attribute VB_Name = "Sheet10"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C00
... (truncated)
Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: xl/vbaProject.bin
Size: 1390592 bytes
SHA-256: 1997ba8d1001ddbf7ee77a536774d44ffe9bf518bf748f7feff868ca6878c677